General

  • Target

    a8df709495ab9ea938880b1ebe744b33bc163b2fe576ce7e585caef7c846b718.exe

  • Size

    11.5MB

  • Sample

    240725-fqz4jatblh

  • MD5

    7a4736888da0afc969d14e920c115533

  • SHA1

    41d2322ab981f541962d862b693b6d203d4669b0

  • SHA256

    a8df709495ab9ea938880b1ebe744b33bc163b2fe576ce7e585caef7c846b718

  • SHA512

    d952c762938859acfac4b36ab5f1bed7d332d041a1ad33a887fabda173919ad15113f5d2a9a9d541dca0ec364c0f357ec9b76064fe38990fa17eb4c640511cec

  • SSDEEP

    196608:4LXS7IPQPNLUQ6S8as8C/EQx4K2rikIwNLu7vi991uJBV1ptdYQbRti4g:4jQIIPNmA0rAc4u76VuJxpt59t9g

Malware Config

Targets

    • Target

      a8df709495ab9ea938880b1ebe744b33bc163b2fe576ce7e585caef7c846b718.exe

    • Size

      11.5MB

    • MD5

      7a4736888da0afc969d14e920c115533

    • SHA1

      41d2322ab981f541962d862b693b6d203d4669b0

    • SHA256

      a8df709495ab9ea938880b1ebe744b33bc163b2fe576ce7e585caef7c846b718

    • SHA512

      d952c762938859acfac4b36ab5f1bed7d332d041a1ad33a887fabda173919ad15113f5d2a9a9d541dca0ec364c0f357ec9b76064fe38990fa17eb4c640511cec

    • SSDEEP

      196608:4LXS7IPQPNLUQ6S8as8C/EQx4K2rikIwNLu7vi991uJBV1ptdYQbRti4g:4jQIIPNmA0rAc4u76VuJxpt59t9g

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Detect Neshta payload

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks